From: Brian Davis <bdavis@thepoint.net>
Date: Sun, 3 Dec 95 16:29:06 PST
To: Jonathan Zamick <JonathanZ@consensus.com>
Subject: Re: Netscape gives in to key escrow
In-Reply-To: <v02120d02ace53224f233@[157.22.240.13]>
Message-ID: <Pine.BSF.3.91.951203191056.6206B-100000@mercury.thepoint.net>
MIME-Version: 1.0
Content-Type: text/plain


On Fri, 1 Dec 1995, Jonathan Zamick wrote:

> 
> >And thus we return to my original point, which is that it will depend on
> >what is said/disclosed.  If every copy of GAKscape had a banner, bigger
> >than the Netscape "N" which said, "The government can read every message
> >you send using this software no matter what you do" then I think
> >consumers will be hard pressed to say they weren't warned.
> 
> I don't mean to be inflamatory, but it isn't much of a point. They aren't
> going to put such a banner up because that would limit their business. The

Once again, I must disagree.  Several bulletin boards I frequent include 
an opening banner announcing that, essentially, all messages left there 
are "public" and can be read by anyone.  I can get the exact language if 
you like.  The message specifically refers to the wiretapping statute, 18 
U.S.C. Section 2510 et seq.  This keeps the sysop, arguably, from 
suffering civil liability if mail is intercepted.  Nobody reads the 
banner, but I believe that it has more effect than a fig leaf.

> goal of Netscape (though I don't single them out), any corporation that would
> profit from business of those who seek encryption while still allowing GAK,
> and the government, is to limit the public's awareness of the size of the
> hole. If they let people know the extent of the hole, then they'll use
> products w/out it which blows profits from companies involved, and doesn't
> benefit the government who want it in common use.
> 
> >I disagree.  Almost nobody read the fine print on the back of a note you
> >sign when you buy a car or otherwise take out a loan, but the provisions
> >are generally enforceable ...  Ignorance is not necessarily an excuse.
> 
> The question is whether there was false representation of the security of
> the product.
> 1. The general knowledge of encryption and secure electronic financial
> transactions is significantly lower than that of more standard
> transactions.
> 
But how many of those who are less knowledgable about such things expect 
the level of privacy you automatically infer?  Is that expectation 
reasonable?  Does the party have any duty to inquire???

> 2. Applying for a loan or buying a car involve actively going out, negotiating,
> signing contracts, etc. It will be much simpler to simply stick your vital
> info into a 'secure' browser.
> 
Getting a browser involves going to the store and installing the software 
or surfing to a site and downloading the software.  Then it must be 
installed.

> 3. The choice of browser to use will be done, based on representations by
> companies about the security of their product. If Netscape doesn't
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
I doubt it in the case of the less sophisticated (and the more 
sophisticated are on their own).  I suspect that Mr. Newbie is more 
likely to pick a browser on the basis of what his friend tells him,  or 
what PC Computing tells him, or the fact that he read about Netscape in 
the business section of the paper.  

> explicitly
> state in direct terms when accessing the browser that the GAK is a
> potential security risk, then they will be sued. Simply because someone
> will get blamed.

Getting sued and being liable are very different, just as getting charged 
with a crime and having done something morally wrong can be very 
different.  I am much less confident than you apparently are that the 
court system (and products liability law) are likely to impose duties on 
the makers of browsers such as you suggest.  In an advancing 
technological area, I don't believe that liability will be imposed so 
quickly, especially if some disclosure is made.  What disclosure is 
required is likely to be fact specific on a case by case basis until the 
law has time to develop some sort of standards.

Can I expect to recover from Ford for my injuries in a car wreck because 
I would not have been hurt in a Volvo, when Ford meets all federal 
standards?  Generally not. 

> Since they (or again any company that incorporates GAK.. I really don't
> want to target Netscape in specific) will make the threat sound as
> insignificant as possible, and not bring it to people's attention (and they
> can't afford to do so) when (not if) it is breached they will be taken to
> court repeatedly.

Don't forget, taking them to court takes $$$.  And they only have $5 
Billion to pay for lawyers ...

 > > >
> >EBD
> 
> Jonathan
> 
> ------------------------------------------------------------------------
> ..Jonathan Zamick                    Consensus Development Corporation..